Cyber Threat Alliance’s Michael Daniel on Election Security

Cyber Threat Alliance’s Michael Daniel on Election Security
Carol Hildebrand

Having spent five years developing national cybersecurity strategy and policy for the Obama administration, Michael Daniel is well aware of the impact cybercriminals can have on election security. And as the CEO of the nonprofit Cyber Threat Alliance (CTA), he’s working to keep our digital ecosystems secure via cyberthreat information-sharing among companies in the cybersecurity field. (Full disclosure: NETSCOUT is a CTA member.) With the United States facing a presidential election in which cybersecurity is a significant concern, Hardik Modi, NETSCOUT area vice president, threat and mitigation products, sat down to discuss the topic with Daniel.

Daniel and Modi Headshots

Hardik Modi: We’ve seen cyberthreats and threat actors target elections globally for some time now. How do you think it has changed since our last presidential election?

Michael Daniel: The effect is similar to what we see in other industries, which I find fascinating. In many ways, elections can be viewed as a vertical industry sector—it differs because elections are run by state and local governments, but it is a sector. And we are seeing the same thing that has happened in industries such as healthcare and financial services: as elections shifted to a digital environment, we didn’t think through all of the different ways the threat profile changed. But although the threats in a technical sense are not radically different from those of other sectors, the potential for impact is very different due to the core nature of elections. Prior to 2016, we thought of cyberthreats to the election process in terms of espionage. But what we’ve seen since then has been a big expansion across multiple different facets of the electoral sector.

Modi: Could you explain those facets?

Daniel: Cyberthreats to our elections fall into three categories:

  1. Threats to political campaign organizations, such as the Republican and Democrat national committees, or high-profile campaigns such as the presidential or some Senate races. Long-standing threats such as espionage remain, but as we’ve seen, the threats in this category also now include acquiring and weaponizing information.
  1. Threats to the electoral infrastructure. This infrastructure comprises the highly decentralized systems and processes that enable state and local governments to conduct elections. It consists of everything from voter registration databases to voting machines and vote tallying. Threats in this category would be aimed at disrupting the voting process and casting doubt on the outcome.
  1. Threats to the general information environment, which runs from social media to news organizations. This category is where we see efforts to poison the information space with misinformation. And while such questionable practices date back to the 19th century, today’s digital world means that it’s happening at a pace and scale we are not used to.

Modi: And when everything is in a database, it’s a whole cascade of groups—not just the official campaign, but outside support groups. Does this also trickle down to the local and municipal level?

Daniel: Well, as we see in every vertical, big companies have more money to put into security, and the same goes with the electoral sector. National campaigns have more money and expertise, and the chances are that they won’t fall for simple stuff. But with a local house or state race, these tactics might work. And keep in mind that while we focus a lot on entities such as the Russians as players, there are plenty of other actors out there, including homegrown folks that might have an axe to grind. And it’s going to be more crowded with each election cycle. But keep in mind that while our decentralized system can vulnerable at any one point, it’s very difficult to attack as a whole.

Modi: I would imagine that threat actors could hit all of those buckets with attacks that could impact the election in ways we don’t necessarily expect. For example, although you might think of an availability-based attack in terms of taking down access to items in the infrastructure bucket, such an attack could move across all three areas. Think, for example, of a DDoS attack on the Associated Press on election day—that cuts into the availability of important information such as voting results. Where do you see this potentially playing out when thinking of availability in an election scenario?

Daniel: A lot of what we think about in this regard are threats aimed at shaping perception. Your AP example is a good one—if the AP is affected by something like a DDoS attack, an information base for content such as election maps disappears. Does that have an impact on the people counting the votes? No, but it absolutely affects public perception of how the election is going. Or let’s say somebody posts a YouTube video of a voting machine being hacked and says this had been done to thousands of machines across the U.S., and good luck finding them. But here’s the kicker: it’s not a real hack, and the voting machines were not affected. The whole point of the video wasn’t to hack machines but rather to fuel uncertainty and doubt about the validity of the election.

The U.S. response in 2016 to Russian probing of voter registration databases made it very clear that actually messing with the infrastructure that carried out the voting process would be treated very seriously and with pretty significant retaliation. That’s one reason I think we’ve seen less activity in that category and more emphasis on misinformation. However, we need to make a critical point. U.S. citizens should realize that small process irregularities happen in every election, and these irregularities don’t mean the process itself has fallen apart.

Modi: Sorting through the information space gets really complicated. I’m reminded of [FBI director] Christopher Wray holding a public briefing on Russian misinformation campaigns. In his view, the danger lies in the level of noise becoming so great that voters become desensitized and lose confidence.

Daniel: It’s a fascinating question. Camille François at Graphika talks about this—did all that Russian activity in 2016 change anybody’s mind about their vote? There’s no research to answer that, but at the very least, it undermines voter confidence in the results. So yes, the threat is real, but we need to retain confidence in our election process. Keep in mind that the Russians don’t want to necessarily change the outcome, but rather to degrade our confidence in the electoral process itself. There are all sorts of reasons that we want to take steps to make sure voters are not being disenfranchised and that everybody legally permitted to vote can do so. But I also think we shouldn’t get overly pessimistic about our ability to conduct elections.

Modi: All of this is thought provoking. Even for those with a background in cyberthreat research, it’s pretty clear that we still have a lot to learn. The ongoing worldwide DDoS extortion campaign is a perfect example. It reminds me that attackers can make an impact with techniques we knew about in 2015.

Daniel: Absolutely right. Since we can’t succeed against all adversaries all the time, it’s necessary to have an incident response plan in place. That’s one reason the CTA has an election security working group ready to provide support in the event something goes haywire. We need to accept the fact that we may be surprised, and we need a plan to get unsurprised as rapidly as possible.

Modi: That sounds like a good step toward getting more systematic about these things.

Daniel: The next phase is to take that overused term of public-private partnership and make it more effective. I see the CTA as a leverage point for making that happen, given our reach across the cybersecurity industry. For example, we’ve been spending lot of time working with the World Economic Forum on what a policy construct would look like for the public and private sectors to work together on cybercrime and have an impact at scale. And that means thinking about processes in a different way that enables groups to come together when they’ve never had to do it before. Take that global DDoS campaign you referenced earlier, for example. How could we use the CTA or a similar nonprofit as a locus for a threat cell—a short-term group that brings together government, telecoms, and cybersecurity companies to synchronize their activities against that DDoS threat? Maybe we can’t arrest the perpetrators, but we can knock them back for a bit.

Modi: And looking forward, those partnerships could be used to combat concerns about election security.

Daniel: Yes, and that’s important. When we look at what we have to do in the elections sector, such a process could prove significant. Because the fact that elections are run locally is a good thing, but to expect each local group to take on a Russian intelligence agency by itself is ludicrous. That’s why we need to develop this ability to bring together different elements from the public and private sectors to collaborate on operations as well as to share information.

Learn more about NETSCOUT Threat Intelligence

Learn more about the Cyber Threat Alliance